发表新帖
发表新帖

How can I allow my user to insert HTML code, without risks? (not only technical risks)

后端 未结
关注
10 805
一生所求
一生所求 2020-12-09 05:41

I developed a web application, that permits my users to manage some aspects of a web site dynamically (yes, some kind of cms) in LAMP environment (debian, apache, php, mysql

相关标签:
10条回答
  • 囚心锁ツ
    2020-12-09 06:12

    You might want to consider, rather than allowing HTML at all, implementing some standin for HTML like BBCode or Markdown.

    0 讨论(0)
  • 我寻月下人不归
    2020-12-09 06:14

    For a C# example of white list approach, which stackoverflow uses, you can look at this page.

    0 讨论(0)
  • 不思量自难忘°
    2020-12-09 06:19

    If you are using php, an excellent solution is to use HTMLPurifier. It has many options to filter out bad stuff, and as a side effect, guarantees well formed html output. I use it to view spam which can be a hostile environment.

    0 讨论(0)
  • 深忆病人
    2020-12-09 06:26

    Rather than allow HTML, you should have some other markup that can be converted to HTML. Trying to strip out rogue HTML from user input is nearly impossible, for example

    <scr<script>ipt etc="...">

    Removing from this will leave 

    <script etc="...">
    0 讨论(0)
 看不清?
提交回复
热议问题